Open Bug 1928929 Opened 1 month ago Updated 21 days ago

Make TrustedTypeUtils::ProcessValueWithADefaultPolicy work with workers

Categories: Core :: DOM: Security, task
People: Reporter: fredw, Unassigned
References: Blocks 5 open bugs
Details: Whiteboard: [domsecurity-backlog]

See

https://w3c.github.io/trusted-types/dist/spec/#process-value-with-a-default-policy-algorithm
https://w3c.github.io/trusted-types/dist/spec/#integration-with-html

It's retrieving the defaultPolicy of the trusted type policy factory of the global object passed as a parameter, and such a trusted type policy factory is available on either a Window or a Worker.

But in our code we are only retrieving it as window:
https://searchfox.org/mozilla-central/rev/964b8aa226c68bbf83c9ffc38984804734bb0de2/dom/security/trusted-types/TrustedTypeUtils.cpp#139

The function also has a comment which I don't really understand (I'll replace it with a TODO pointing to that new bug instead):

// Since this function is for `TrustedHTML`, the `TrustedTypePolicyFactory`
// has to stem from the inner window, not from a Worker.

I think the present bug is a bit different from bug 1901492: ProcessValueWithADefaultPolicy does not involve a CSP and we can probably already change the function to retrieve the trustedTypePolicyFactory from a Window or Worker. However, ProcessValueWithADefaultPolicy is also only called from GetTrustedTypesCompliantString after it successfully gets a CSP, so probably this change won't have any effect for now anyway. Maybe that's what the comment above meant.

Severity: -- → N/A
Whiteboard: [domsecurity-backlog]

(In reply to Frédéric Wang (:fredw) from comment #0)

> See
>
> https://w3c.github.io/trusted-types/dist/spec/#process-value-with-a-default-policy-algorithm
> https://w3c.github.io/trusted-types/dist/spec/#integration-with-html
>
> It's retrieving the defaultPolicy of the trusted type policy factory of the global object passed as a parameter, and such a trusted type policy factory is available on either a Window or a Worker.
>
> But in our code we are only retrieving it as window:
> https://searchfox.org/mozilla-central/rev/964b8aa226c68bbf83c9ffc38984804734bb0de2/dom/security/trusted-types/TrustedTypeUtils.cpp#139
>
> The function also has a comment which I don't really understand (I'll replace it with a TODO pointing to that new bug instead):
>
> // Since this function is for `TrustedHTML`, the `TrustedTypePolicyFactory`
> // has to stem from the inner window, not from a Worker.

Workers don't support HTML injection sinks. Only the ones for TrustedScript (e.g. eval) and perhaps TrustedScriptURL. Hence, when [1] is called, that call currently has to stem from a Window.

> I think the present bug is a bit different from bug 1901492: ProcessValueWithADefaultPolicy does not involve a CSP and we can probably already change the function to retrieve the trustedTypePolicyFactory from a Window or Worker.

Correct.

> However, ProcessValueWithADefaultPolicy is also only called from GetTrustedTypesCompliantString after it successfully gets a CSP, so probably this change won't have any effect for now anyway. Maybe that's what the comment above meant.

[1] https://searchfox.org/mozilla-central/rev/f732a1651018b7c32002981a9c8b8613975ffbf9/dom/security/trusted-types/TrustedTypeUtils.cpp#132

(In reply to Mirko Brodesser (:mbrodesser-Igalia) from comment #1)

> Workers don't support HTML injection sinks. Only the ones for TrustedScript (e.g. eval) and perhaps TrustedScriptURL. Hence, when [1] is called, that call currently has to stem from a Window.

Thanks for the clarification. Since in my patch I'm extending the functions to support TrustedScript/TrustedScriptURL, I guess it makes sense to remove this comment and add a TODO to the present bug instead.

Blocks: 1931856
Blocks: 1931829
Blocks: 1931293
Blocks: 1916956
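
Added illustration, not part of the bug thread and not Gecko code: a simplified JavaScript model of the lookup discussed above, comparing a window-only retrieval of the default policy with one that accepts any global that owns a policy factory. The global objects, helper names and the policy are constructed for the example, and the algorithm is condensed from the linked spec section.

```javascript
// Simplified model of "process value with a default policy".
// All names here are hypothetical; none of this is Gecko's API.
const CALLBACK = {
  TrustedHTML: 'createHTML',
  TrustedScript: 'createScript',
  TrustedScriptURL: 'createScriptURL',
};

// Constructed stand-ins for the two kinds of global that own a policy factory.
function makeGlobal(kind, defaultPolicy) {
  return { kind, trustedTypes: { defaultPolicy } };
}

// Window-only lookup, as the bug describes: a Worker global yields no factory.
function factoryFromWindowOnly(global) {
  return global.kind === 'Window' ? global.trustedTypes : null;
}

// Lookup the bug asks for: the factory of whichever global was passed in.
function factoryFromAnyGlobal(global) {
  return global.trustedTypes;
}

// Returns { type, data } on success, or null when there is no default policy,
// no matching callback, or the callback returned null/undefined.
// Exceptions thrown by the callback propagate to the caller.
function processValueWithDefaultPolicy(getFactory, global, expectedType, input, sink) {
  const factory = getFactory(global);
  const policy = factory ? factory.defaultPolicy : null;
  if (!policy) return null;
  const callback = policy[CALLBACK[expectedType]];
  if (typeof callback !== 'function') return null;
  const value = callback.call(policy, input, expectedType, sink);
  if (value === null || value === undefined) return null;
  return { type: expectedType, data: String(value) };
}

// Constructed default policy: accepts exactly one known script string.
const samplePolicy = {
  createScript: (s) => (s === 'postMessage("ready")' ? s : null),
};
const sampleWindow = makeGlobal('Window', samplePolicy);
const sampleWorker = makeGlobal('Worker', samplePolicy);
```

With the window-only lookup, the worker's default policy is never consulted for a TrustedScript sink such as eval; with the global-agnostic lookup, the same policy is applied in both contexts.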